iptables +block country
Harry Strongburg
harry.ubuntu at harry.lu
Mon Aug 16 08:57:52 UTC 2010
On Mon, Aug 16, 2010 at 09:17:56AM +0200, Markus Schönhaber wrote:
> 16.08.2010 08:13, Harry Strongburg:
> > 1) It makes known to them that you "exist", if they didn't already know.
> You can't hide your "existence" by not answering to connection requests.
> If you truly didn't "exist" the last hop *before* your not existing
> machine would send a host unreachable ICMP message. The lack of this
> message shows that something's there.
This is true, but they could also assume that the box is offline and
behind a NAT if their connects time out. Dropping ICMP would probably
help. In the case of SSH scan bots, they usually just scan most
residential blocks.
> > 2) Wastes bandwidth sending a rejection to them.
> You save the bandwidth a TCP reset / ICMP port unreachable package would
> use. OTOH, the scan-bot might try multiple times because he thinks the
> probe got lost somehow. So, depending on the behaviour of the bot,
> dropping probes might even use more bandwidth.
Good point. My point was that you are not sending out more bandwidth
than you need to. It also comes into the fact that most residential
connections have a much higher download rate than upload, which could
also influence your decision.
But yeah, fail2ban and using a high port for anything with
authentication has lowered attacking bots to less than one per year. The
one or two it catches per year appeared to have been manually started,
not a normal port-22 scan. The one to two that come in, fail2ban grabs
and bans them for however long I want! >:) As long as your password is
"good".
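To make the fail2ban behaviour discussed above concrete, here is a small added illustration (not code from the thread or from fail2ban itself) of the maxretry/findtime/bantime logic over a few constructed sshd log lines, plus the DROP-versus-REJECT rule that the rest of the thread argues about. The log lines, the host name and the addresses are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (syslog style, year omitted as in real auth.log).
SAMPLE_LOG = """\
Aug 16 08:01:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Aug 16 08:01:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Aug 16 08:01:05 host sshd[1003]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
Aug 16 08:02:00 host sshd[1004]: Accepted publickey for harry from 198.51.100.7 port 50000 ssh2
Aug 16 08:30:00 host sshd[1005]: Failed password for root from 192.0.2.9 port 40010 ssh2
Aug 16 09:30:00 host sshd[1006]: Failed password for root from 192.0.2.9 port 40011 ssh2
Aug 16 10:30:00 host sshd[1007]: Failed password for root from 192.0.2.9 port 40012 ssh2
"""

FAIL_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* "
    r"from (\d+\.\d+\.\d+\.\d+) port"
)


def find_bans(log, maxretry=3, findtime=600, bantime=3600, year=2010):
    """Return {ip: ban_expiry} for IPs with >= maxretry failures inside findtime seconds.

    Parameters mirror fail2ban's jail options in meaning; the year is assumed
    because syslog timestamps carry none.
    """
    failures = defaultdict(list)
    bans = {}
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in bans and ts < bans[ip]:
            continue  # still banned: the firewall would not let this attempt through
        # Keep only failures inside the sliding findtime window, then add this one.
        window = [t for t in failures[ip] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        failures[ip] = window
        if len(window) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            failures[ip] = []
    return bans


def ban_rule(ip, reject=False):
    """Simplified stand-in for a ban action: silent DROP, or REJECT that answers the probe."""
    target = "REJECT --reject-with icmp-port-unreachable" if reject else "DROP"
    return f"iptables -I INPUT -s {ip} -j {target}"
```

With the sample above, 203.0.113.5 is banned after its third failure within seconds, while 192.0.2.9 never is because its three failures are an hour apart and fall outside a 600-second findtime.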